Archive for Security

Records, Privacy

The Managing Electronic Records Conference put on by Cohasset Associates was a very good experience. I attended as a student volunteer, and I met several persons in schools similar to our iSchool across the country, as well as vendors, consultants, professionals, and so on.

Electronic records aren’t exactly a recent interest of mine- I’ve been looking into retention schedules and how they might impact my job for some time. I’ve also had an interest in privacy and security. Recently, though, as I’ve been looking into archives and electronic records, the records management issues both at work and in the world have affected the way I examine these other issues.

Two stories from BNA’s Internet Law News today caught my interest:
Industry, Others Object to Data Retention
The story is about Alberto Gonzales’ call for greater records retention on the part of ISPs. Once again, the excuses for this proposed action come from increased law enforcement powers related to terrorism and child pornography. However, ISPs are noting that there are security, privacy, technical and other issues related to this proposal. Government has been very much failing in privacy-related matters recently. This particular matter also affects ISPs such as universities and libraries, and many of these institutions as a matter of regular operation don’t keep transitory logs, for good reason. The privacy of students and patrons is incredibly important, as both a matter of established law and institutional or professional values. We haven’t really seemed to have good public discussions about privacy and why people should care about privacy, related to abuse, dignity, and so on. That type of talk needs to be part of the decision-making process.

We’re also constantly bombarded with one of the risks of records retention: stolen and lost information, and the risk of identity theft. See the second story from BNA News, Toronto Firm at Center of Security Breach. A piece of equipment that had the names and social security numbers of 1.3 MILLION students has been lost. These aren’t Canadian students, either; they’re students who borrowed from a Round Rock, TX based loan institution. Yes, just next to Austin. So, what are the risks to keeping even more personal information that wouldn’t have been kept in the first place? Privacy and data protection laws exist for a reason. They’re not just to limit cost and liability, although those certainly affect businesses. We really need a full understanding of the possible harms that could come from such a law, instead of the rush from certain members of Congress to pass these things through.

Of course, there are also many procedural issues. Laws that affect records exist at both the federal (Sarbanes-Oxley, FERPA) and state (library, government records) levels. There are also regulatory and legal concerns that govern record keeping behavior. These would need to be reconciled with such a broad change.


Sony BMG Settlement Info, Looking at an older settlement.

EFF: Sony BMG Settlement Info

The Electronic Frontier Foundation is encouraging people to claim their due from Sony/BMG, which was due to the security nightmare caused by their overreaching copyright protection mechanisms.

Speaking of settlements, I recently ran into a reminder of an older CD settlement related to charges of price-fixing. As part of that settlement, the industry promised to give libraries and other institutions CDs to promote musical programs and activities, and made very grand statements about how they would not be providing overstocks or titles that you would want to throw away. That, apparently, was not at all honest.

My mother is the Coordinator for Technology Integration at Region One in the state of Texas, which serves all of south Texas’s school districts. Like the other stories I linked above, they are distributing multiple copies of the same CDs, some very obscure, some marked for promotional use only, and so on. There were so many of the same ones, so little interest in some of these CDs, that now they are going to have to destroy the remainder of what they received. They couldn’t get anyone to take them.


Slashdot | Diebold Whistle-Blower Charged With Felony Access


From Slashdot, a disturbing article involving the person who blew the whistle on Diebold.


Sound Evidence

Added a new site to the blog list- Sound Evidence, a site about electronic discovery and similar issues. Definitely an important subject when considering the law and electronic resources, records, computer security, and so on.


RIAA chatter on Unisog list

There’s a lot of chatter about recent actions by the RIAA on the SANS Unisog (University Security Operations Group) list. (For some reason, not all the messages are appearing on the listserv, but there are more there.) Apparently, the RIAA is informing the universities that they will be subpoenaed as to the identity of particular users. I’m not sure if those letters of intent indicate that the university in question should be treating their records retention in any way differently than they have been treating it. The letters allegedly cite 18 USC 2703(f) (see the link to the message above). My questions are: does that statute apply, and if so is the university then required to save those logs upon receiving that notice? That portion of the law seems to apply to governmental entities, so I would think that once the government requested it you would need to, but not when the RIAA requests it. But IANAL. I’ll have to find someone to ask.

On an unrelated related note ^_-, it’s interesting how security or IT people are often the people who receive DMCA notices. In my experience, not all of us are particularly copyright savvy, although that is changing to some extent. Thankfully, a lot of us have access to legal counsel. ^_^


BBC Article on DRM

You know, I’ve really never liked the term “DRM” (Digital Rights Management). Whose rights are being protected? Who’s managing these rights? The customer is not the answer to either of these questions.

At any rate, there’s a pretty good article on the BBC talking about the pros and cons of Trusted Computing and DRM.


Admissions hacking?

Quick break from work…

I’ve found incredibly little information about the way someone told others how to “hack” into the Apply Yourself, Inc. service to determine if they were accepted to Harvard, Stanford, MIT, and other colleges. I’ve seen lots of news referring to “hacking,” “data thief,” “security breach,” “cracking” and other terminology that didn’t provide much technical information. It makes me wonder if this event was as much of a non-hack as the Choicepoint “hack” or if this event was similar to other cases in which people just added text to a URL, particularly since apparently students could only access their own information (leading me to believe they were authenticated in some way before following those elusive instructions).

It appears that Harvard is automatically rejecting anyone whose record was accessed, based on that fact; they hold the applicants responsible for the use of their accounts.

While the access was likely improper, I am curious about terms of service and the use of the H word…

Update: Yup. Looking at the originating BusinessWeek forums, it looks like all the applicants did was type in a URL. The forums are crawling with posts and article reprints (copyright violation? ^_-). Here’s an excerpt:

No security safeguards were bypassed - the applicants simply took an open route to their pages that hadn’t been publicized, said the man, who is in his 20s and is from the Midwest.